HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack

Aultman Health Foundation, which runs Aultman Hospital in Canton, OH, is notifying approximately 42,600 patients that some of their protected health information may have been compromised as a result of a phishing attack.

Unknown, unauthorized individuals gained access to several email accounts used by employees of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician offices.

The unauthorized access was first detected on March 28, 2018, prompting a full investigation to determine the scope of the breach and whether any sensitive information had been accessed. Third-party information security experts were engaged to assist with the investigation and determined that the email accounts were accessed on several occasions, starting in mid-February 2018 and continuing until the breach was detected and remediated in late March.

The breach was limited to email accounts; the system that stores electronic medical records was not compromised. Email accounts used by Aultman Hospital and certain physician practices contained names, addresses, clinical information, medical record numbers, and physicians’ names.


Individuals tested by AultWorks Occupational Medicine had a wider range of information exposed, including name, address, date of birth, medical history, reports on physical examinations, the results of drug, hearing, and breathing tests, and other lab test results. Certain AultWorks Occupational Medicine patients also had their driver’s license number and/or Social Security number exposed. Social Security numbers were exposed only in cases where an employer uses Social Security numbers to identify employees or prospective employees.

When the phishing attack was discovered, Aultman Health Foundation reset passwords on the affected accounts to prevent further unauthorized access and enforced a policy allowing only strong, complex passwords. Security monitoring has been improved to detect future breaches more quickly, additional security controls have been applied to email accounts to block future attacks, and employees have been given further training to improve resilience to phishing.

Aultman Health Foundation explained in a breach FAQ that it was not possible to determine whether emails and attachments containing PHI were opened and read by the individual(s) behind the attack; however, no reports have been received to date suggesting that any information in the accounts has been misused.

All patients impacted by the incident have been advised to check their credit reports and Explanation of Benefits statements carefully for any sign of fraudulent use of their information. Individuals whose driver’s license number or Social Security number was exposed have been offered complimentary credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.